
eclipse-tractusx / portal-iam


IAM - Keycloak instances

License: Apache License 2.0

SCSS 0.92% FreeMarker 23.73% TypeScript 0.64% JavaScript 28.07% HTML 32.43% CSS 11.96% Smarty 0.96% Shell 1.30%

portal-iam's Introduction

IAM: Keycloak instances

This repository contains the reference configuration to deploy the Catena-X (CX) specific Keycloak instances.

The instances depend on the helm chart from Bitnami (chart version 19.3.0, app version 23.0.7).

The repository is split up in:

  • The helm charts to deploy the CX Keycloak instances
  • The CX specific configuration (e.g. Keycloak themes and initial realm-config)
  • The dockerfile (Dockerfile.import) to build an image containing the CX specific configuration, which is used as an init container at Keycloak startup
  • The CX consortia specific configuration

For further information please refer to the chart specific README files, available under the following directories:

Known Issues and Limitations

See Known Knowns.

Notice for Docker images

This application provides container images for demonstration purposes.

See Docker notice files for more information:

License

Distributed under the Apache 2.0 License. See LICENSE for more information.

portal-iam's People

Contributors

evegufy, dependabot[bot], oyo, phil91, jordangerada3, rmarting, typecastcloud, jjeroch

Watchers

Norbert Truchsess, Sebastian Bezold, Angelika Wittek, Mathias Moser, Stephan Bauer, Tuncay Tunc

portal-iam's Issues

Improve helm chart testing and release process

Description

Improve the testing of the helm chart by building the images for init containers and pushing them to the registry available within the workflow to then use those images for the test of the helm install.

Once that is enabled, also the release process should be improved to release the helm chart and build the pinned docker images in one workflow, see example

Benefits

  • improved automated tests (as otherwise the images always need to be built manually before testing)
  • improve release process (as otherwise the image build needs to be triggered in an additional step)

DIM Wallet Dev connection

Connect the team dev env. with the current used wallet solution (DIM - decentral identity management)

OSP | Allow technical user to create/modify Managed IDP | OSP automation

Description

As OSP,
I want to create and configure managed IDP with technical user Registration External or otherwise,
so that I can automate the onboarding/invite flow without having to manually access portal.

Acceptance Criteria

  • Setting up managed IDP via technical user is possible
  • Configuration managed IDP via technical user is possible
  • Response provides all details required to automate this process

Additional Information

Easiest way to make this possible is probably to add the following roles to the Registration External technical user available to OSP (not 100% sure what is required to create managed idp):

  • add_idp
  • view_managed_idp
  • setup_idp
  • delete_idp
  • disable_idp

@jjeroch @evegufy @MaximilianHauer
Maybe there is a better way. Manually adding each IDP via portal user seems clunky.

QG 4 checks (Release 23.12)

QG checks

Please keep this issue open until QG is concluded and will be managed by the Issue Creator!
We will inform you about finding and proposals in separated issues, this issue here is for the Overview of the Checks!

Product Owner: @jjeroch
Dev SPOC:
Helm Chart Version: 2.0.0
App Version: 2.0.0

Release Management Reference Issue: eclipse-tractusx/sig-release/issues/106

Check of Tractus-X Release Guidelines

TRG 1 Documentation

  • TRG 1.01 appropriate README.md
  • TRG 1.02 appropriate install instructions either INSTALL.md or in README.md
  • TRG 1.03 appropriate CHANGELOG.md

TRG 2 Git

TRG 3 Kubernetes

  • TRG 3.02 persistent volume and persistent volume claim is used when needed

TRG 4 Container

  • #36
  • TRG 4.02 base image is agreed
  • TRG 4.03 image has USER command and Non Root Container
  • TRG 4.05 released image must be placed in DockerHub, remove GHCR references
  • TRG 4.06 separate notice file for DockerHub has all necessary information

TRG 5 Helm

  • TRG 5.01 Helm chart must be released
  • TRG 5.02 Helm chart location in /charts directory and correct structure
  • TRG 5.04 CPU / MEM resource requests and limits are properly set
  • TRG 5.06 Application must be configurable through the Helm chart
  • TRG 5.07 Dependencies are present and properly configured in the Chart.yaml
  • TRG 5.08 Product has a single deployable helm chart that contains all components
  • TRG 5.09 Helm Test running properly
  • TRG 5.10 Products need to support 3 versions at a time
  • TRG 5.11 Upgradeability

TRG 6 Released Helm Chart

TRG 7 Open Source Governance

  • TRG 7.01 Legal Documentation
  • TRG 7.02 License and copyright header
  • TRG 7.03 IP checks for project content
  • TRG 7.04 IP checks for 3rd party content
  • TRG 7.05 Legal information for distributions
  • TRG 7.06 Legal information for end user content
  • TRG 7.07 Legal notice for documentation

Hints

Information Sharing

QG checks (Release 24.03)

I'll use this template, to make it easier to track progress on non-leading repos

Leading Portal QG issue: eclipse-tractusx/portal#203

Check of Tractus-X Release Guidelines

TRG 1 Documentation

  • TRG 1.01 appropriate README.md
  • TRG 1.02 appropriate install instructions either INSTALL.md or in README.md
  • TRG 1.03 appropriate CHANGELOG.md
  • TRG 1.04 editable static files

TRG 2 Git

TRG 3 Kubernetes

  • TRG 3.02 persistent volume and persistent volume claim is used when needed

TRG 4 Container

TRG 5 Helm

  • TRG 5.01 Helm chart requirements
  • TRG 5.02 Helm chart location in /charts directory and correct structure
  • TRG 5.03 proper version strategy
  • #54
  • TRG 5.06 Application must be configurable through the Helm chart
  • TRG 5.07 Dependencies are present and properly configured in the Chart.yaml
  • TRG 5.08 Product has a single deployable helm chart that contains all components
  • TRG 5.09 Helm Test running properly
  • TRG 5.10 Products need to support 3 versions at a time
  • TRG 5.11 Upgradeability

TRG 6 Released Helm Chart

TRG 7 Open Source Governance

Hints

Information Sharing

Keycloak 24.03. Release Candidate

Summary

Update the keycloak image for release candidate 24.03.
NOTE - all changes are needed on the generic image

Details

FIX needed for existing permission assignment

  • IT Admin - Add Permission

    • delete_user_account
    • delete_own_user_account
    • view_service_marketplace
    • view_service_offering
    • subscribe_service
    • view_service_subscriptions
    • view_membership
    • delete_notifications
  • Business Admin - Add Permission

    • delete_own_user_account
    • view_user_management
    • view_connectors
    • view_apps
    • view_subscription
    • view_app_subscription
    • view_autosetup_status
    • view_service_marketplace
    • view_service_offering
    • view_service_subscriptions
    • view_company_data
    • view_use_case_participation
    • view_certificates

Changes due to new BPDM Gate/VAS Service Request

  • add new roles inside client "technical_user_management":
    • BPDM Gate read
    • BPDM Gate read&write
  • assign the following permissions to the new role "BPDM Gate read":
    • client "BPDM Partner Gate" permission "view_company_data"
  • assign the following permissions to the new role "BPDM Gate read&write":
    • client "BPDM Partner Gate" permission "view_company_data"
    • client "BPDM Partner Gate" permission "update_company_data"
    • client "BPDM Partner Gate" permission "view_shared_data"

Documentation needs a clear information that this solution does not support client separation


Changes due to new feature Wallet UI

  • add the permission "view_wallet" of Cl5-CX-Custodian to all composite roles of the client Cl-CX2-Portal

NEW due to implementation of Certificate Management

create new permission

  • "view_certificates"
  • "upload_certificates"
  • "delete_certificates"

inside the client Cl-CX2-Portal

and assign the new permission to all following Cl-CX2-Portal composite roles

  • "view_certificates" - to all composite roles
  • "upload_certificates" - to company admin, business admin and purchaser
  • "delete_certificates" - to company admin, business admin and purchaser

Move R&R concept from pictures into md tables

Description

The Rights and Roles Concept should be moved into markdown tables.

Please also make sure that the screenshots of the R&R concept in portal-assets (to be shown in portal-frontend) are still possible after the move to md tables (shouldn't be an issue, but mentioning it anyway): https://github.com/eclipse-tractusx/portal-assets/tree/v2.0.0/public/assets/images/content

Why?

  • Bad maintainability and searchability
  • Also, by the end of the year the Consortia Confluence Instance is going to be shut down, so no option to make screenshots anymore

Upgrade to Keycloak version 24

Description

Upgrade centralidp and sharedidp to Keycloak version 24.
The latest version at this point in time is 24.0.2 (corresponding to Bitnami chart version 21.0.0)

Important: the Postgres version of the dependency needs to remain 15 (as that's the aligned version in TRG 5.07) and the Bitnami chart has already moved on to Postgres version 16 in the subchart.

Acceptance Criteria

  • App version has been upgraded to v24
  • Postgres version of the dependency is still 15

Benefits

Keeping up to date with the latest Keycloak releases offers several benefits like security patches and bug fixes as well as new features, see release notes.

BPDM: Adjust to Rights and Role Concept of 24.08. Release

Description

At the moment the rights and roles expected in the default BPDM configuration do not match entirely the configuration of the Central-IDP.

  1. There is no client and therefore no roles for the BPDM Orchestrator component as specified here.
  2. As mentioned in #146, there are no dedicated technical users seeded for establishing an authenticated golden record process
  3. There is no technical user for the BPDM provider EDC to create an offer allowing access to the Pool member data

Aligning BPDM and Central-IDP reduces the initialization and configuration overhead. Therefore, I propose to fill the gap between the two systems to enhance the experience of the operators.

Acceptance Criteria

  • Add a client for the BPDM Orchestrator component containing the client roles as described in the permissions here.
  • Add Orchestrator roles to the technical_roles_management client according to the specification above
  • Add a service account for the Portal Gate to access the Orchestrator having the Orchestrator role 'Task Creator'
  • Add a service account for the Portal Gate to access the Pool having the Pool role 'Consumer'
  • Add a service account for the Cleaning Service Dummy to access the Orchestrator having the Orchestrator roles 'Clean Task Processor' and 'CleanAndSync Task Processor'
  • Add a service account for the Pool to access the Orchestrator having the Orchestrator role 'PoolSync Task Processor'
  • Add a service account for the BPDM provider EDC having the Pool role 'Member Consumer'

Additional Information

Keycloak Image 24.03. Release

Summary

Keycloak Image finalization for release 24.03.
Additional changes found as part of the e2e test are documented in this ticket and need to get applied before the release 24.03. is closed

Details

  • username mappers for identity providers have been removed from the seeded idps on generic and consortia instances
  • attribute bpn got updated to BPNL00000003CRHK for user cx-operator.656e8a94-188b-4a3e-9eec-b45d8efd8347 for consortia (generic was already in place)
  • add role view_company_data of client Cl16-CX-BPDMGate to security-company.555b0b81-6ead-4d3d-8d5d-41c07bb8cfbc user for consortia
  • add Policy Hub client with view client role and assign to default role
  • adjust the seeding configuration for the Client ID mapper
    • change user.session.note value from clientId to client_id
    • change claim.name value from clientId to client_id
  • assign to the role Offer Management under client technical_user_management the following two permissions of the Cl2-CX-Portal client: view_tech_user_management; app_management
  • assign the permission configure_partner_registration to the composite role Registration External inside the client technical_user_management
  • add role view_managed_idp to CX Admin

add role view_managed_idp to Company Admin & IT Admin --> informative because already in place

Linked Tickets

#46

Missing Role for service account sa-cl2-05

Current Behavior

When doing the callback from the dim middle layer we receive a 403, this is due to a missing role technical_roles_management (Client: Cl2-CX-Portal) of the user sa-cl2-05.

Expected Behavior

The callback is executed successfully without a 403

Steps To Reproduce

Create a technical user in the dim. The callback process step fails.

R&Rs: Operator Access `admin-credential`

Validation needed

Situation:

  • on INT the CX Operator can access the portal page /admin-credential
  • on DEV the CX Operator can not access the portal page /admin-credential
  • on DEV-RC the CX Operator can not access the portal page /admin-credential

Expectation:

  • user can access the page

Waiting for eclipse-tractusx/portal-frontend#873 to get merged to revalidate the access afterwards

Technical User Management for Golden Record Subscriptions

Description

As a BPDM architect,
I want a technical user for the Portal role "BPDM Sharing Output Consumer" to be created automatically when a company admin subscribes to BPDM / Golden Record Service,
so that the company admin does not need to do this manually. This is already done for "BPDM Sharing Input Manager", a so-called technical user of type MANAGED.

Additionally, I want the ClientID / Secret of technical users for both Portal roles "BPDM Sharing Output Consumer" and "BPDM Sharing Input Manager" NOT to be shown in Portal "Technical User Management", so that the company admin / sharing member does not see these credentials, as they are only used by the operator of BPDM to configure the BPDM EDC data assets.

Acceptance Criteria

  • [criteria 1] technical users for "BPDM Sharing Output Consumer" and "BPDM Sharing Input Manager" MUST BE created automatically on subscribing to BPDM
  • [criteria 2] credentials of technical users for "BPDM Sharing Output Consumer" and "BPDM Sharing Input Manager" MUST NOT be shown to company admin (or any other role of the Sharing Member)
  • [criteria 3] company admin (or any other role of the Sharing Member) MUST NOT create technical users for "BPDM Sharing Output Consumer" and "BPDM Sharing Input Manager"
  • [criteria 4] technical users for "BPDM Sharing Output Consumer" and "BPDM Sharing Input Manager" MUST BE accessible by BPDM operator to create EDC data offers

Additional Information

see eclipse-tractusx/sig-release#751

Upgrade to Keycloak version 23

Description

Upgrade centralidp and sharedidp to Keycloak version 23.
The latest version at this point in time is 23.0.7 (corresponding to Bitnami chart version 19.3.0)

Important: find a solution for the fact that the Postgres version of the dependency needs to remain 15 (as that's the aligned version in TRG 5.07), as the Bitnami chart version 19.3.0 has already moved on to Postgres version 16 in the subchart.

Acceptance Criteria

  • App version has been upgraded to v23
  • Postgres version of the dependency is still 15

Additional information

v24 has been released on March 4, 2024

New Role for DIM-Middle-Layer Client

To support the deletion of a technical user of the dim application a new role is needed for the DIM-Middle-Layer Client.

The new role is delete_technical_user.

The role needs to be only created on int, dev and rc environment. We don't need to include it in the release.

QG4: TRG 7.02 - License and Copyright header

Hey @evegufy,

It seems the following headers contain a wrong reference to Catena-X; it would be great to change it to Eclipse Foundation:

import/keycloak-themes/catenax-central/login/resources/css/Main.css
import/keycloak-themes/catenax-shared/login/resources/css/Main.css
import/keycloak-themes/catenax-shared-portal/login/resources/css/Main.css

Updates #14

CX Admin is missing role 'upload_certificates'

Current Behavior

CX Admin does not have

  • 'Cl2-CX-Portal'
    • 'upload_certificates'

Expected Behavior

CX Admin has all Cl2-CX-Portal roles (please correct me if this is intended and close issue)

Steps To Reproduce

Create user with only CX Admin role.

QG4 checks (Release 23.12)

QG checks

Please keep this issue open until QG is concluded and will be managed by the Issue Creator!
We will inform you about finding and proposals in separated issues, this issue here is for the Overview of the Checks!

Product Owner:
Dev SPOC:
Helm Chart Version:
App Version:

Check of Tractus-X Release Guidelines

TRG 1 Documentation

  • TRG 1.01 appropriate README.md
  • TRG 1.02 appropriate install instructions either INSTALL.md or in README.md
  • TRG 1.03 appropriate CHANGELOG.md

TRG 2 Git

TRG 3 Kubernetes

  • TRG 3.02 persistent volume and persistent volume claim is used when needed

TRG 4 Container

  • TRG 4.01 semantic versioning and tagging
  • TRG 4.02 top level README.md file or separate README.md file for DockerHub, that contains information about the used base image
  • TRG 4.03 image has USER command and Non Root Container
  • TRG 4.05 released image must be placed in DockerHub, remove GHCR references
  • TRG 4.06 notice file for DockerHub has all necessary information

TRG 5 Helm

  • TRG 5.01 Helm chart must be released
  • TRG 5.02 Helm chart location in /charts directory and correct structure
  • TRG 5.04 CPU / MEM resource requests and limits are properly set
  • TRG 5.06 Application must be configurable through the Helm chart
  • TRG 5.07 Dependencies are present and properly configured in the Chart.yaml
  • TRG 5.08 Product has a single deployable helm chart that contains all components
  • TRG 5.09 Helm Test running properly
  • TRG 5.10 Products need to support 3 versions at a time
  • TRG 5.11 Upgradeability

TRG 6 Released Helm Chart

TRG 7 Open Source Governance

  • TRG 7.01 Legal Documentation
  • TRG 7.02 License and copyright header
  • TRG 7.03 IP checks for project content
  • TRG 7.04 IP checks for 3rd party content
  • TRG 7.05 Legal information for distributions
  • TRG 7.06 Legal information for end user content
  • TRG 7.07 Legal notice for documentation

Hints

Information Sharing

Framework Agreement | Missing permission to request credential

Current Behavior

Submission of framework credential fails

Expected Behavior

Submission of framework credential is successful

Additional information

The composite roles CX Admin, Company Admin, IT Admin and Business Admin miss the request_ssicredential role from Client Cl24-CX-SSI-CredentialIssuer

Detected in version 3.0.0

Failed Invite Partner

Current Behavior

2024-07-22 11:05:46.581 GMT [94] LOG: checkpoint starting: time
2024-07-22 11:05:51.298 GMT [94] LOG: checkpoint complete: wrote 46 buffers (0.3%); 0 WAL file(s) added, 0 removed, 0 recycled; write=4.635 s, sync=0.010 s, total=4.717 s; sync files=38, longest=0.006 s, average=0.001 s; distance=184 kB, estimate=184 kB
2024-07-22 11:06:21.241 GMT [750339] ERROR: duplicate key value violates unique constraint "uk_b71cjlbenv9xxxxxxxxxxxxxxx"
2024-07-22 11:06:21.241 GMT [750339] DETAIL: Key (realm_id, client_id)=(master, saidp1) already exists.
2024-07-22 11:06:21.241 GMT [750339] STATEMENT: insert into CLIENT

Expected Behavior

It should create a new realm and send email to the user with invitation

Steps To Reproduce

Company names that contain special characters and umlauts ("öäü") are not searchable and are not validated as characters

Current Behavior

Results do not return anything for companies with special characters, for example: L'évasion Parisienne

Expected Behavior

Ideally, companies regardless of the umlaut/special characters "éöäü" should validate as characters.

Steps To Reproduce

  • Open portal -> redirection to central idp
  • Search for a company that contains special characters or umlauts (if available, if not a test company will need to be created)

Partner network | BPDM service is not accessible

Current Behavior

We are not able to access the BPDM service. We tried with all the possible roles and permissions but none has worked for us. We always get a 403.

Expected Behavior

We should be able to access the BPDM service with an appropriate role.

Steps To Reproduce

Check the Partner Network in the portal or try to access the BPDM service APIs.

R24.05 Portal Iam - Release Checks

QG checks

Please keep this issue open until QG is concluded and will be managed by the Issue Creator!
We will inform you about finding and proposals in separated issues, this issue here is for the Overview of the Checks!

Product Owner: @jjeroch
Dev SPOC: @evegufy
Helm Chart Version: 3.0.0 (RC3)
App Version: 3.0.0 (RC3)

Release Management Reference Issue: eclipse-tractusx/sig-release#671

Check of Tractus-X Release Guidelines

TRG 1 Documentation

  • TRG 1.01 appropriate README.md
  • TRG 1.02 appropriate install instructions either INSTALL.md or in README.md
  • TRG 1.03 appropriate CHANGELOG.md
  • TRG 1.04 editable static files

TRG 2 Git

TRG 3 Kubernetes

  • TRG 3.02 persistent volume and persistent volume claim is used when needed

TRG 4 Container

TRG 5 Helm

  • TRG 5.01 Helm chart requirements
  • TRG 5.02 Helm chart location in /charts directory and correct structure
  • TRG 5.03 proper version strategy
  • TRG 5.04 CPU / MEM resource requests and limits are properly set
  • TRG 5.06 Application must be configurable through the Helm chart
  • TRG 5.07 Dependencies are present and properly configured in the Chart.yaml
  • TRG 5.08 Product has a single deployable helm chart that contains all components
  • TRG 5.09 Helm Test running properly
  • TRG 5.10 Products need to support 3 versions at a time
  • TRG 5.11 Upgradeability

TRG 6 Released Helm Chart

TRG 7 Open Source Governance

  • TRG 7.01 Legal Documentation
  • TRG 7.02 License and copyright header
  • TRG 7.03 IP checks for project content
  • TRG 7.04 IP checks for 3rd party content
  • TRG 7.05 Legal information for distributions
  • TRG 7.06 Legal information for end user content
  • TRG 7.07 Legal notice for documentation
  • TRG 7.08 Legal notice for KIT documentation

TRG 8 Security

  • TRG 8.01 Mitigate high and above findings in CodeQL
  • TRG 8.02 Mitigate high and above findings in KICS
  • TRG 8.03 Mitigate high and above findings in GitGuardian
  • TRG 8.04 Mitigate high and above findings in Trivy

Hints

Information Sharing

Mandatory change in licensing and legal documentation

Description

Due to a change in how we want to license Eclipse Tractus-X, there are a couple of changes
to legal documentation in our repositories.

This issue is created for every active repository in our GitHub org, to remind everyone
about the required changes and also to track the completion of it.

If there are any reasons why you think this change should not be applied to this repository,
document them as a comment on this issue before closing it. Be aware that there are most likely no
exceptions for our repositories.

If you have any questions, feel free to join the weekly Community Office Hour
and raise it there.

What has to be done?

The following steps have to be completed, to fully implement the licensing change:

  • Add a new file LICENSE_non-code in your repository root with the contents of the CC-BY-4.0 license
  • Remove the /LICENSES directory in case you previously stored the CC-BY-4.0 license there. Make sure there is no other CC-BY-4.0 License left, other than on root as LICENSE_non-code
  • Add the "Project Licenses" and "Terms of Use" sections to your CONTRIBUTING.md file. See eclipse-tractusx/sig-infra#476 for an example
  • Adapt "Declared Project License" section in NOTICE.md. See eclipse-tractusx/sig-infra#476 for an example
  • Please verify that your CONTRIBUTING.md does not have encoding issues. We found several occurrences in repositories.

Additional information

You can find detailed information in our Release Guidelines section 7.
The changes have been introduced in eclipse-tractusx/eclipse-tractusx.github.io#856.

You can also see an example on how a repository was changed in eclipse-tractusx/sig-infra#476.

Overall progress tracked in eclipse-tractusx/sig-infra#477

BPDM: Missing Technical User for Component Communication

Currently the initial configuration of the IAM is missing a technical user for the BPDM services to realize the golden record process.

Context

BPDM services communicate with each other as authenticated users to realize the golden record process. So in order to deploy a golden record process, a technical user with the necessary permissions needs to be available.

The services expect a technical user with at least these permissions:

Cl7-CX-BPDM

  • read_partner
  • write_partner
  • read_partner_member
  • read_metadata
  • write_metadata
  • read_changelog
  • read_changelog_member

Cl16-CX-BPDMGate

  • read_input_partner
  • write_input_partner
  • read_output_partner
  • read_input_changelog
  • read_output_changelog
  • read_sharing_state
  • write_sharing_state
  • read_stats

Suggestion for name and description:

Name: sa-cl7-cx-7
Description: Technical user for BPDM services to communicate between each other to realize the golden record process.

Keycloak 24.05. Release Candidate

Summary

Update the keycloak image for release candidate 24.05.

Details

SD Factory Tech User

  • sa-cl5-custodian-1 to be removed - not needed anymore (note: the user was already disabled in INT on 24 March to be able to test the scenario of not having this user anymore as part of the e2e tests) ✅ removed
  • sa-cl5-custodian-2 - for discussion; actually interim (in release 24.05.) the connection will be stopped; afterwards it might get reconnected --> decision: stays in

Impact to portal db seeding to be checked


New Client Issuer Component

Basic

  • new client for issuer component needed Cl24-CX-SSI-CredentialIssuer
  • add the following permissions to the new client ✅
    • request_ssicredential
    • decision_ssicredential
    • view_use_case_participation
    • view_certificates
    • revoke_credentials_issuer
    • revoke_credential
  • technical user sa-cl2-04 needed (release image) which has permission to access Cl24-CX-SSI-CredentialIssuer with all its roles ✅
  • technical user sa-cl24-01 needed (release image) which has permission to access Cl2-CX-Portal with the roles ✅
    • send_mail
    • create_notifications
    • update_application_bpn_credential
    • update_application_membership_credential

Add portal permissions ✅

  • send_mail
  • update_application_bpn_credential
  • update_application_membership_credential
  • store_didDocument

Role Changes

  • assign new permission decision_ssicredential to the portal role CX Admin

New DIM Client

Within release iam image:

  • technical user sa-cl2-05 needed which has permission to access Cl2-CX-Portal with the role store_didDocument

Not within release iam image / only consortia images (because hosted in some SAP IAM):

  • new client for issuer component needed DIM-Middle-Layer
    • setup_wallet
    • view_status_list
  • technical user sa-dim-middle-layer-01 needed which has permission to access DIM-Middle-Layer with all its roles

New technical users for the issuer function ✅ done under "New Client Issuer Component" section

Portal needs a configured technical user to connect portal with SSI-Credential-Issuer

  • Tech Role "Credential Issuer" with the following assigned roles from the new client Cl24-CX-SSI-CredentialIssuer
    • request_ssicredential
    • decision_ssicredential
    • view_use_case_participation
    • view_certificates
    • revoke_credentials_issuer
    • revoke_credential

Issuer Component needs a configured technical user to connect back to the portal

  • Tech Role "Issuer Communication" with the following assigned roles from the new client Cl2-CX-Portal
    • send_mail (new Cl2-CX-Portal permission)
    • create_notifications (new Cl2-CX-Portal permission)
    • update_application_bpn_credential (new Cl2-CX-Portal permission)
    • update_application_membership_credential (new Cl2-CX-Portal permission)

Removal of portal permissions due to the new SSI Solution and Issuer component ✅

  • remove decision_ssicredential permission from portal
  • remove request_ssicredential permission from portal

Removal of portal permissions due to clean-up/matching roles&rights matrix obsolete marked permissions ✅

  • remove upload_documents permission from portal
  • remove my_user_account permission from portal
  • remove view_tech_roles permission from portal
  • remove setup_client permission from portal
  • remove view_dataspaces permission from portal
  • remove filter_apps permission from portal
  • remove view_services permission from portal
  • remove subscribe_service_offering permission from portal
  • remove `` permission from portal

BPDM Roles & Right Concept adjustment ✅

  • Clean up Cl7-CX-BPDM
    Valid Origin: https://partners-pool.{env}.demo.catena-x.net/*
    Description: BPDM Pool
    Permissions:

    • read_partner
    • write_partner
    • read_partner_member
    • read_changelog
    • read_changelog_member
    • read_metadata
    • write_metadata
  • Clean up Cl16-CX-BPDMGate
    Valid Origin: https://partners-gate.{env}.demo.catena-x.net/*
    Description: Portal Gate
    Permissions:

    • read_input_partner
    • write_input_partner
    • read_input_changelog
    • read_output_partner
    • write_output_partner
    • read_output_changelog
    • read_sharing_state
    • write_sharing_state
    • read_stats
  • Inside the technical_roles_management remove

    • "BPDM Gate Read"
    • "BPDM Gate Read & Write"
    • "BPDM Partner Gate"
    • "BPDM Management"
    • "BPDM Pool"
  • Inside the technical_roles_management newly create

    • BPDM Sharing Admin
      With permissions:
      • read_input_partner
      • write_input_partner
      • read_input_changelog
      • read_output_partner
      • write_output_partner
      • read_output_changelog
      • read_sharing_state
      • write_sharing_state
      • read_stats
    • BPDM Sharing Input Manager
      • read_input_partner
      • write_input_partner
      • read_input_changelog
      • read_sharing_state
      • write_sharing_state
      • read_stats
    • BPDM Sharing Input Consumer
      • read_input_partner
      • read_input_changelog
      • read_sharing_state
      • read_stats
    • BPDM Sharing Output Consumer
      • read_output_partner
      • read_output_changelog
      • read_sharing_state
      • read_stats
    • BPDM Pool Consumer
      • read_changelog
      • read_changelog_member
      • read_metadata
    • BPDM Pool Admin
      • read_partner
      • write_partner
      • read_partner_member
      • read_changelog
      • read_changelog_member
      • read_metadata
      • write_metadata

  • remove sa-cl7-cx-1
  • remove sa-cl7-cx-2 - we need to inform Fabio - but I want to get rid of the user if possible ✅ (I asked Fabio, it's ok)
  • update sa-cl7-cx-3 - assign BPDM Pool Admin
  • update sa-cl7-cx-4 - assign BPDM Pool Consumer
  • update sa-cl7-cx-5 - assign BPDM Pool Admin & BPDM Sharing Admin
  • update sa-cl7-cx-6 - assign BPDM Pool Consumer
  • update sa-cl7-cx-7 - assign BPDM Pool Admin & BPDM Sharing Admin

App Registration | Upload App Roles | 403 Forbidden | App manager is unable to register an App

Current Behavior

API returns 403 error forbidden while uploading the required file.
https://portal-backend.entry.cofinity-x.com/api/apps/AppReleaseProcess/b6efcea6-d871-4f3c-a33b-0ea48a7a26ce/roles

Request Method:
GET

Status Code:
403 Forbidden

Expected Behavior

App Manager can upload App Roles document.

Steps To Reproduce

  1. Login to portal as App manager
  2. Navigate to App Management ---> App Release Process → Register your App
  3. Create App and proceed with the next steps
  4. On Technical Integration, upload the User Role file
  5. Hit “Upload App roles“

Finding

App Manager is missing the role: view_client_roles from Cl2-CX-Portal required to access GET endpoint https://portal-backend.entry.cofinity-x.com/api/apps/AppReleaseProcess/{appid}/roles

QG 4 checks (Release 3.2)

QG checks

Please keep this issue open until QG X is concluded and will be managed by the Issue Creator!
We will inform you about finding and proposals in separated issues, this issue here is for the Overview of the Checks!

Please keep this issue open until QG X is concluded!

Product Name: Portal-IAM
Product Owner: @jjeroch
Dev SPOC: @evegufy
Helm Chart Version: 1.2.0-RC2
App Version: 1.2.0-RC2
QG5 Approval: yes/no

Check of Tractus-X Release Guidelines

This QG 4 Check is depending on the mandatory information from our current Release Guidelines.

TRG 1 Documentation

TRG 2 Git

  • TRG 2.01 default branch is named main

  • TRG 2.03 repository structure

    Checks within TRG 2.03
    • TRG 2.03 /docs directory contains detailed product related documentation for the Tractus-X product
    • TRG 2.03 /charts directory contains the Helm chart for the Tractus-X product IF available
    • TRG 2.03 AUTHORS.md file (optional) (TRG 2.03)
    • TRG 2.03 CODE_OF_CONDUCT.md file (TRG 2.03)
    • TRG 2.03 CONTRIBUTING.md file (TRG 2.03)
    • TRG 2.03 DEPENDENCIES file(s) with up to date content (Dash tool generated) (TRG 2.03)
    • TRG 2.03 LICENSE file (TRG 2.03)
    • TRG 2.03 NOTICE.md file (TRG 2.03)
    • TRG 2.03 SECURITY.md file (TRG 2.03)
  • TRG 2.04 Leading product repository

    Checks within TRG 2.04
    • TRG 2.04 repository name must be productname without prefix or suffix
    • TRG 2.04 should contain the release
    • TRG 2.04 references/urls to the product's other repositories
    • TRG 2.04 might contain product helm chart(s)
    • TRG 2.04 README.md: contains the urls for the underlying applications
  • TRG 2.05 .tractusx metafile in a proper format

TRG 3 Kubernetes

  • TRG 3.02 PersistentVolume and PersistentVolumeClaim is used when needed

TRG 4 Container

  • TRG 4.01 semantic versioning and tagging

  • TRG 4.02 top level README.md file, that contains information about the used base image

  • TRG 4.03 Image has USER command and Non Root Container

    Checks within TRG 4.03
    • TRG 4.03 deployment.yaml has runAsUser and allowPrivilegeEscalation: false properly set
  • TRG 4.05 released image must be placed on DockerHub as mandatory container registry; remove GHCR references

  • TRG 4.06 Notice File for DockerHub has all necessary information

    Checks within TRG 4.06
    • TRG 4.06 Link to the source of your base image (Container registry and GitHub if available)
    • TRG 4.06 Link to your product image on DockerHub
    • TRG 4.06 Link to your repository on GitHub
    • TRG 4.06 Direct link to the Dockerfile used to build your image
    • TRG 4.06 Link to LICENCE file in your repo as Project License (make clear that this is the PROJECT licence, not an image license)

TRG 5 Helm

  • TRG 5.01 Helm chart must be released

    Checks within TRG 5.01
    • TRG 5.01 appropriate semantic versioning for version and appVersion has to be used in Chart.yaml
    • TRG 5.01 must not contain any environment specific values-xyz.yaml
    • TRG 5.01 values.yaml file must contain proper default values/placeholders
    • TRG 5.01 No hostname provided for ingress
    • TRG 5.01 Ingress is disabled
    • TRG 5.01 No references to any secret engine service (e.g.: Hashicorp Vault)
    • TRG 5.01 Dependencies should be prefixed with the nameOverride and/or fullnameOverride properties
    • TRG 5.01 Image tag is set to the Chart.yaml appVersion property
    • TRG 5.01 must be deployable to any environment without overwriting default values with a simple helm install command
    • TRG 5.01 dependencies have to be declared in Chart.yaml NOT requirements.yml
  • TRG 5.02 Helm chart location in /charts directory and correct structure

    Checks within TRG 5.02
    • TRG 5.02 each file must contain the Apache 2.0 Licence
    • TRG 5.02 latest tag is not used in helm chart by default
    charts/ 
        chartNameA/
          Chart.yaml
          ... 
        chartNameB/
          Chart.yaml
          ...
    AUTHORS.md 
    DEPENDENCIES.md 
    LICENCE 
    README.md 
  • TRG 5.04 CPU and memory limits and requests are properly set

  • TRG 5.06 application must be configurable through the Helm chart

  • TRG 5.07 if dependencies are present in the Chart.yaml, they are properly configured

  • TRG 5.08 a product has a single deployable helm chart that contains all components

    Checks within TRG 5.08
    • TRG 5.08 name of the Chart should be just the product-name without prefix or suffix
    • TRG 5.08 values file should contain all available variables (even from subcharts) with default values and comments about what they do
    • TRG 5.08 helm install command should successfully install the chart to any supported Kubernetes version cluster (without overwriting default values)
    • TRG 5.08 helm test runs without errors
  • TRG 5.09 Helm Test running properly

    Checks within TRG 5.09
    • TRG 5.09 A GitHub action exists which builds or uses the helm chart which gets released
    • TRG 5.09 The GitHub action can be triggered manually through the GitHub WebUI by running a workflow
    • TRG 5.09 Helm test verifies that the application is up and running
  • TRG 5.10 Products need to support 3 versions at a time

    Checks within TRG 5.10
    • TRG 5.10 latest (K8s version 1.25)
    • TRG 5.10 latest - 1 (K8s version 1.24)
    • TRG 5.10 latest - 2 (K8s version 1.23)
  • TRG 5.11 Upgradeability PRERELEASE

    Checks within TRG 5.11
    • TRG 5.11 Based on the Helm test workflow, you must provide a GitHub action which takes the latest released helm chart, does an installation of it and then execute the upgrade to the current / new version.

TRG 6 Released Helm Chart

TRG 7 Open Source Governance

  • TRG 7.01 Legal Documentation

  • TRG 7.02 License and copyright header

  • TRG 7.03 IP checks for project content

  • TRG 7.04 IP checks for 3rd party content

    Checks within TRG 7.04
    • TRG 7.04 DEPENDENCIES file is up-to-date and reflects the current use of the 3rd party content
    • TRG 7.04 all libraries listed there should have the status "approved"
    • TRG 7.04 no libraries with status "rejected"
    • TRG 7.04 for libraries with status "restricted", the according IP issues must be present (issue number in the source column)
  • TRG 7.05 Legal information for distributions

  • TRG 7.06 Legal information for end user content

  • TRG 7.07 Legal notice for documentation

Hints

Information Sharing

Keycloak 24.05. Image Release

Summary

CentralIdP: CX-Central realm updates (init container image) based on latest test results.

Follow up to #66.

CX-Central realm updates

The following bugfixes need to be implemented in the new release:


Seeded service accounts

  1. BPN mapper and user attribute "bpn" were added to the following service accounts:
  • sa-cl1-reg-2
  • sa-cl2-01
  • sa-cl2-02
  • sa-cl2-03
  • sa-cl2-04
  • sa-cl2-05
  • sa-cl24-01
  • sa-cl7-cx-5
  • sa-cl8-cx-1

  2. Fix role assignment and BPN of sa-cl3-cx-1
  • remove composite roles "Identity Wallet Management" and "Dataspace Discovery"
  • change the bpn value in the user attribute to the CX-Operator BPN


Specific Changes on BPDM

  • Role "Company Admin" inside the client "Cl1-CX-Registration" needs to get the following permissions added:

    • read_partner_member of client Cl7-CX-BPDM ✅
    • read_changelog_member of client Cl7-CX-BPDM ✅
    • read_metadata of client Cl7-CX-BPDM ✅
    • read_partner of client Cl7-CX-BPDM ✅
  • Role "Company Admin" inside the client "Cl2-CX-Portal" needs to get the following permissions added:

    • read_partner_member of client Cl7-CX-BPDM ✅
    • read_changelog_member of client Cl7-CX-BPDM ✅
    • read_metadata of client Cl7-CX-BPDM ✅
  • Role "CX Admin" inside the client "Cl2-CX-Portal" needs to get the following permissions added:

    • all permissions of Cl7-CX-BPDM ✅
    • all permissions of Cl16-CX-BPDMGate ✅

New Role needed

"Business Partner Data Manager" inside the client "Cl2-CX-Portal", with the following permissions

  • read_partner_member of client Cl7-CX-BPDM ✅
  • read_changelog_member of client Cl7-CX-BPDM ✅
  • read_metadata of client Cl7-CX-BPDM ✅
  • and all CX User permissions ✅

=> assign this new role inside the portal DB to all collection. Each company role can assign this role to their users. ✅

Add the role "BPDM Pool Sharing Consumer" inside the client technical_roles_management and assign the following permissions

  • read_partner_member of client Cl7-CX-BPDM ✅
  • read_changelog_member of client Cl7-CX-BPDM ✅
  • read_metadata of client Cl7-CX-BPDM ✅
  • read_changelog of client Cl7-CX-BPDM ✅

=> assign this new role inside the portal DB to the collection CX Operator


The following technical user roles should be available for app/service providers (this is given by linking those roles to the respective collection/company role) in the portal DB.

  • BPDM Sharing Input Consumer
  • BPDM Sharing Output Consumer


done by eclipse-tractusx/portal-backend#707


Assign the role BPDM Pool Consumer of the client technical_user_management to all Composite roles in the Portal Client.

  • CX Admin ✅
  • Company Admin ✅
  • Business Admin ✅
  • IT Admin ✅
  • CX User ✅
  • Purchaser ✅
  • App Developer ✅
  • App Manager ✅
  • Sales Manager ✅
  • Service Manager ✅
  • Business Partner Data Manager ✅

Add Permission

Add new permission view_credential_requests to the client Cl24-CX-SSI-CredentialIssuer


Fix for Cl24-CX-SSI-CredentialIssuer and assignment to composite Portal roles

Those specific assignments:

CX Admin

  • add "view_use_case_participation" ✅
  • add "revoke_credentials_issuer" ✅
  • add "revoke_credential" ✅
  • add "view_certificates" ✅
  • add "view_credential_requests" ✅

Company Admin

  • add "view_use_case_participation" ✅
  • add "revoke_credential" ✅
  • add "view_certificates" ✅
  • add "view_credential_requests" ✅

IT Admin

  • add "view_use_case_participation" ✅
  • add "revoke_credential" ✅
  • add "view_certificates" ✅
  • add "view_credential_requests" ✅

Business Admin

  • add "view_use_case_participation" ✅
  • add "revoke_credential" ✅
  • add "view_certificates" ✅
  • add "view_credential_requests" ✅

Additionally, "view_credential_requests" => to be assigned to all Portal Client Roles

  • CX User ✅
  • Purchaser ✅
  • App Developer ✅
  • App Manager ✅
  • Sales Manager ✅
  • Service Manager ✅
  • Business Partner Data Manager ✅

BTW: "view_certificates" refers to credentials, not certificates; it's a poorly named role


Re-add "request_ssicredential" role to client Cl2-CX-Portal (removed as part of #66) ✅


Newly create "service_management" for client Cl2-CX-Portal


Clean-up of the App Manager role:

  • remove "add_user_account" ✅
  • add "view_connectors" ✅
  • add "view_app_subscription" ✅
  • add "view_service_subscriptions" ✅

Business Admin

  • add "view_client_roles" ✅
  • add "view_own_user_account" ? ✅
  • add "update_own_user_account" ✅
  • remove "view_connectors" ✅
  • add "view_documents" ✅
  • add "view_membership" ✅
  • add "delete_notifications" ✅
  • add "request_ssicredential" (Client: portal) ✅

IT Admin

  • add "view_documents" ✅
  • add "request_ssicredential" (Client: portal) ✅

Service Manager

  • add "add_self_descriptions" ✅
  • add "delete_documents" ✅
  • add "service_management" ✅

App Developer

  • add "view_license_types" ✅
  • add "view_service_subscriptions" ✅

Sales Manager

  • add "view_app_subscription" ✅
  • add "app_management" ✅
  • add view_service_subscriptions ✅
  • add "service_management" ✅

CX Admin

  • add "service_management" ✅
  • add "request_ssicredential" (Client: portal) ✅

Purchaser

  • add "subscribe_service" ✅
  • add "view_service_subscriptions" ✅

CX User

  • add "view_service_subscriptions" ✅

Company Admin

  • add "request_ssicredential" (Client: portal) ✅
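A check covering the role findings in the issues above (the App Manager missing view_client_roles from Cl2-CX-Portal, and the Portal composite roles that should carry Cl7-CX-BPDM permissions), as an added example that is not part of the portal-iam repository or its realm config: it resolves Keycloak composite roles transitively from a realm export and reports the required client roles a composite lacks. The realm fragment is constructed for this example.

```python
"""Verify that Keycloak composite roles grant the client roles they are expected to.

Added example, not project code. It follows the shape of a Keycloak realm export:
roles.client[clientId] is a list of role objects, and a composite role lists the
roles it includes under composites.client[clientId] as role names.
"""

# Constructed realm fragment for this example, not the real CX-Central realm.
REALM = {
    "roles": {
        "client": {
            "Cl2-CX-Portal": [
                {"name": "view_client_roles"},
                {"name": "view_apps"},
                {"name": "App Manager", "composite": True,
                 "composites": {"client": {"Cl2-CX-Portal": ["view_apps"]}}},
                {"name": "CX User", "composite": True,
                 "composites": {"client": {"Cl2-CX-Portal": ["view_apps"]}}},
                {"name": "Business Partner Data Manager", "composite": True,
                 "composites": {"client": {
                     "Cl2-CX-Portal": ["CX User"],
                     "Cl7-CX-BPDM": ["read_partner_member",
                                     "read_changelog_member", "read_metadata"]}}},
            ],
            "Cl7-CX-BPDM": [{"name": n} for n in (
                "read_partner", "read_partner_member", "read_changelog",
                "read_changelog_member", "read_metadata")],
        }
    }
}


def _lookup(realm, client_id, role_name):
    """Return the role object for (client_id, role_name), or None if absent."""
    for role in realm["roles"]["client"].get(client_id, []):
        if role["name"] == role_name:
            return role
    return None


def effective_roles(realm, client_id, role_name):
    """Resolve a composite transitively into the set of (client, role) it grants.
    Nested composites (e.g. a Portal role including CX User) are followed; the
    'seen' set guards against cycles in the composite graph."""
    seen, stack = set(), [(client_id, role_name)]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        role = _lookup(realm, *cur)
        if role is None or not role.get("composite"):
            continue
        for cid, names in role.get("composites", {}).get("client", {}).items():
            stack.extend((cid, n) for n in names)
    seen.discard((client_id, role_name))  # the composite itself is not a grant
    return seen


def missing_roles(realm, client_id, role_name, required):
    """Required (client, role) pairs that the composite does not grant."""
    return set(required) - effective_roles(realm, client_id, role_name)
```

Running missing_roles against the real realm export before an import would surface a gap like the App Manager 403 before users hit the endpoint.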
